HACKING: Why no one wants to hack for the US government

21/04/2014

The FBI and Pentagon plan to hire 6,000 cybersecurity professionals by 2016, but they’re having a really rough time recruiting people to work for them. There could be many reasons why – low pay, not enough American-born resources – but it all might really come down to one thing: that the US treats hackers as the worst possible criminals. So why would a hacker want to work for them?

Really that’s pretty much what the situation comes down to: It’s mostly posturing. Politicians want ‘cyber’ capabilities and ‘black hat’ armies to boast about. Well, there are a small number of hackers who’d be only too thrilled to join up (the kind of people working in Silicon Valley).

I reckon there are three reasons why it’s not working out:
a) The required skills are bloody hard to develop in the first place, and they’re skills only a minority in the security field overall appear to possess (70% of it being management, compliance, policy, etc.). Remember how long it took us to find that DLL vulnerability several months ago?
b) Out of the tiny minority of people with the requisite skills, probably a fraction would pass the vetting stage. Even Steve Jobs himself wouldn’t have been granted a clearance.
c) Education is very expensive in the United States, and the skillsets they’re looking for are taught at Masters’ level. Most graduates would have to take a higher paying job just to repay their loans.

Most would undertake the PhD if offered funding for Cyber Security… there’s no lack of candidates. Yes, the training takes years and years of dedication… So you’d assume they’d relax some of their intake rules, but alas, critical thinking might not be their strongest trait.

I agree on the nonsense regarding the higher vetting criteria that go into uncles and aunts etc. It’s like Simon Weston was not allowed to be our Police Commissioner, when he would have been fantastic. You could be a war hero, but still fail vetting.
That’s why many didn’t vote in the Police elections… the vetting system would not permit the best candidate to stand… so no-one voted. That’s civil disobedience at its best.

The UK has to decide… does it want enough candidates in Cyber Security… or uphold the vetting rules. The vetting rules mean only weaker candidates are put forward, which isn’t good for the country.

Aptitude, ability, motivation, dedication are all more important. So if it came to a cyber war… the UK would lose. She hasn’t the trained numbers to fight back… she hasn’t allowed the most able to join the ranks. It’s game over.

No. You’re bang on correct, but I doubt it would ever come to a ‘cyber war’. Sure, there’ll still be plenty of ‘cyber skirmishes’, though.
What I see happening is independent security researchers (like ourselves) being the deciding factor, as we have the expertise and the latitude to collaborate openly. The outcome of that could be a prevention of ‘cyber wars’ and perhaps mass surveillance eventually being obsoleted. That’s even possible to a great extent without violating the Official Secrets Act.

It’s a shame to hear about Simon Weston. He would have been a near perfect commissioner.

I love defence of civilian infrastructure… the way that civilian infrastructure could be compromised in cyber warfare. Look at our water, electricity… how simple is that to disrupt?

We have idiots at the electricity companies promoting “smart meters”. Even GCHQ are saying that smart meters could be attacked and shut down in a war.

Cyber warfare will probably be used to generate panic in the civilian world… more than likely it will be asymmetrical warfare against civilian infrastructure. If you cut off water supply, you’d cause mass panic. If you cut off electricity, you’d cause mass panic.

Is the UK protecting that infrastructure?

No, we’re letting them promote “smart meters”. If the power distribution network can wirelessly cut off power, then so can an enemy.

Sure, skirmishes. They’re actually happening already – pretty much all online attacks are isolated incidents because every network is different in some way. If a foreign power really wanted to attack civilian infrastructure, the attack would be limited to a particular area or region. But then we’ve all experienced the odd power cut anyway. Attacking infrastructure also requires a lot of effort and the payoff is quite limited. It would require making stuff happen within whatever parameters are allowed at the hardware level, and looking for stuff engineers overlooked when building in the failsafes.

In fact, society is now so reliant on the Internet there’s no need to touch the utilities. A foreign power might cause far more damage simply by disrupting the communications of banks, ATM networks, email providers. If we can take over entire Active Directory domains within minutes, so could foreign ‘information warfare’ groups. Add a DDoS and several colossal data breaches into the mix…

And these days, Ralph is wondering, out loud, whether our reliance on digital systems to manage critical infrastructure has gone too far. The answer, he suggests, may be to go “back to the future,” as it were: reintroducing analog systems into the control process chain as a backstop for cyber attacks.